1. 程式人生 > >Openssl建立SSL雙向認證連線原始碼

Openssl建立SSL雙向認證連線原始碼

 (作者:陳波,2011-11-16,轉載請註明 Form:http://blog.csdn.net/jinhill/article/details/6979200) 

#include "stdio.h"
#include "string.h"
#include "openssl/ssl.h"
#include "openssl/bio.h"
#include "openssl/err.h"

#pragma comment(lib, "WS2_32.lib")
#pragma comment(lib, "libeay32.lib")
#pragma comment(lib, "ssleay32.lib")

//獲取伺服器證書
int GetSrvCert(SSL * ssl, X509 ** pCert)
{
    int rv = -1;
    if(ssl == NULL) 
 {
  return rv;
 }
    rv = SSL_get_verify_result(ssl);
    *pCert = SSL_get_peer_certificate(ssl);
    return rv;
}

//驗證證書的合法性
int VerifyCert(X509 * pCert, const char * hostname)
{
    char commonName [512] = {0};
    X509_NAME * name = NULL;

    if(pCert == NULL || hostname == NULL) 
 {
  return -1;
 }
    //獲取commonName
    name = X509_get_subject_name(pCert);
    X509_NAME_get_text_by_NID(name, NID_commonName, commonName, 512);
    fprintf(stderr, "VerifyCert - Common Name on certificate: %s\n", commonName);
    if(strcmp(commonName, hostname) == 0) 
 {
  return 1;
 }
    else 
 {
  return 0;
 }
}

int main()
{
    BIO *bio = NULL;
    SSL *ssl = NULL;
    SSL_CTX *ctx = NULL;
    X509 *pCert = NULL;

    int nRead = 0;
 int nTotalLen = 0;

    char szHttpReq[255] = "GET / HTTP/1.1\r\nHost: www.jinhill.com\r\nConnection: Close\r\n\r\n";
    char szResp[1024] = {0};

    //初始化SSL庫
 SSL_library_init();
 
    ERR_load_BIO_strings();
    SSL_load_error_strings();
 //新增SSL握手時所有支援的演算法
    OpenSSL_add_all_algorithms();

 //設定客戶端使用的SSL版本
 SSL_METHOD* sslMethod = (SSL_METHOD*)SSLv3_client_method();
 //建立SSL上下文環境 每個程序只需維護一個SSL_CTX結構體
 ctx = SSL_CTX_new(sslMethod);

    //載入受信任的根證書
    if(! SSL_CTX_load_verify_locations(ctx, "JinhillRootCA.cer", NULL))
    {
        fprintf(stderr, "Error loading trust store\n");
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ctx);
        return 0;
    }

    //設定證書密碼
 SSL_CTX_set_default_passwd_cb_userdata(ctx, "1234");
 //讀取證書檔案
 SSL_CTX_use_certificate_file(ctx,"cb.crt",SSL_FILETYPE_PEM);
 //讀取金鑰檔案
 SSL_CTX_use_PrivateKey_file(ctx,"cb.key",SSL_FILETYPE_PEM);
 //驗證金鑰是否與證書一致
 SSL_CTX_check_private_key(ctx);

    bio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(bio, &ssl);
 //裝置SSL連線模式自動重試
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 //建議連線
    BIO_set_conn_hostname(bio, "www.jinhill.com:443");
    fprintf(stderr, "Connecting to host www.jinhill.com\n");
    if(BIO_do_connect(bio) <= 0)
    {
        fprintf(stderr, "Error attempting to connect\n");
        ERR_print_errors_fp(stderr);
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

    fprintf(stderr, "Retrieving peer certificate\n");
 //獲取伺服器證書
    if(GetSrvCert(ssl, &pCert) != X509_V_OK)
    {
        fprintf(stderr, "Certificate verification error: %i\n", SSL_get_verify_result(ssl));
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }

    //校驗伺服器證書
    fprintf(stderr, "Validating peer certificate\n");
    if(! VerifyCert(pCert, "www.jinhill.com"))
    {
        fprintf(stderr, "Hostname and Common Name do not match\n");
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return 0;
    }
 //傳送HTTP請求
    fprintf(stderr, "Sending szHttpReq\n");
    BIO_write(bio, szHttpReq, strlen(szHttpReq));
 //讀取HTTP響應
    fprintf(stderr, "Reading response\n");
    nTotalLen = 0;
    while(1)
    {
        nRead = BIO_read(bio, szResp, 1024);
        if(nRead <= 0) 
  {
   break;
  }
        szResp[nRead] = 0;
  nTotalLen += nRead;
        printf("%s", szResp);
    }

    printf("\nTotal bytes read: %i\n", nTotalLen);
 //關閉連線
    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}